When verifying programs in Rust, developers care about both memory safety and
correctness. Using safe Rust automatically guarantees safety (but not correctness) without the
need for formal verification, but this isn't true of unsafe Rust.


Safe Rust relies on an aliasing XOR mutability discipline, where mutable references are not
allowed to alias with any other reference. This works well for tree-shaped data structures but not
as well for data structures with intentional aliasing (e.g. doubly linked lists, skip lists, DAGs, and
more general graphs). Rust has safe built-in library types (e.g. RefCell, Mutex, etc.) that allow
programmers to work around this restriction by allowing controlled mutation through shared
references to these types (interior mutability). This library-controlled mutation, however, typically
guarantees safety via runtime overhead (such as checking reference counts at runtime). An
alternative strategy for building these graph-like data structures is to use raw pointers manually
(which can freely alias memory) in unsafe Rust, but this loses Rust's inherent safety guarantees.


If a developer wants a safe, fast implementation of a graph-like data structure, they might want
to avoid runtime overhead while still retaining Rust's default safety guarantees.
Alternatively, a developer might want to develop a graph-like data structure whose functional
properties are verified for correctness. Unfortunately, current verification tools (like
Prusti and Creusot) generally can't formally verify this correctness for data structures that use
interior mutability.


In this talk, I'll introduce GhostPtrTokens: a type that indirectly adds specifications for operations
on raw pointers. These specifications are designed to be compatible with existing verification
techniques for safe Rust, such as those used in Prusti or Creusot. Rather than relying on
runtime checks (or user responsibility) for safety, using GhostPtrToken as a library is safe if its
usage is verified by a verification tool. In fact, GhostPtrToken is implemented as a ZST ("Zero
Sized Type"), so it doesn't come with any runtime overhead. It supports operations that allow
the pointers to be temporarily upgraded to shared or mutable references, but its specifications
enforce that a mutable reference never aliases another reference. When combined
with a verification tool, GhostPtrTokens allow developers to verify efficient graph-like data
structures for both safety and correctness.
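To make the pattern in the abstract concrete, here is an added illustrative model in plain Rust (not the GhostPtrToken library and not the speaker's code): a zero-sized token whose `&self` / `&mut self` borrows mediate every raw-pointer access, so the borrow checker prevents a mutable view from aliasing any other view obtained through the token, while the pointers themselves alias freely (each node of the two-node list points at the other). The method names and the trusted `unsafe` bodies are this example's own assumptions; in the real design the verifier's specifications, not trust, are what make such calls safe.

```rust
use std::ptr;

// Intentionally aliased structure: both nodes are reachable from each other.
struct Node {
    val: i32,
    next: *mut Node,
    prev: *mut Node,
}

/// Zero-sized token (assumed model): no runtime state, only a borrow to thread
/// through every access. Method names are this example's, not the library's.
struct Token;

impl Token {
    fn ptr_from_box(&mut self, b: Box<Node>) -> *mut Node {
        Box::into_raw(b)
    }
    /// Shared borrow of the token: any number of pointers may be read at once.
    fn ptr_as_ref<'a>(&'a self, p: *const Node) -> &'a Node {
        unsafe { &*p } // a verifier would require `p` to be owned by this token
    }
    /// Mutable borrow of the token: only one live mutable view at a time, so
    /// the returned `&mut Node` cannot alias another token-derived reference.
    fn ptr_as_mut<'a>(&'a mut self, p: *mut Node) -> &'a mut Node {
        unsafe { &mut *p }
    }
    fn ptr_to_box(&mut self, p: *mut Node) -> Box<Node> {
        unsafe { Box::from_raw(p) }
    }
}

/// Builds a two-node doubly linked list through the token, reads both nodes
/// via aliased shared views, mutates one node reached through the other, and
/// returns (sum before mutation, sum after mutation).
pub fn two_node_roundtrip() -> (i32, i32) {
    let mut tok = Token;
    let a = tok.ptr_from_box(Box::new(Node { val: 1, next: ptr::null_mut(), prev: ptr::null_mut() }));
    let b = tok.ptr_from_box(Box::new(Node { val: 2, next: ptr::null_mut(), prev: ptr::null_mut() }));
    tok.ptr_as_mut(a).next = b;
    tok.ptr_as_mut(b).prev = a;
    // Two shared views alive together: fine, they only borrow `tok` immutably.
    let (ra, rb) = (tok.ptr_as_ref(a), tok.ptr_as_ref(b));
    let before = ra.val + rb.val;
    // Reach `b` through `a.next` and mutate it; the shared views above have ended.
    let via_a = tok.ptr_as_ref(a).next;
    tok.ptr_as_mut(via_a).val += 10;
    // Rejected by the borrow checker (two `&mut tok` at once), as intended:
    // let (x, y) = (tok.ptr_as_mut(a), tok.ptr_as_mut(b));
    let after = tok.ptr_as_ref(a).val + tok.ptr_as_ref(b).val;
    drop(tok.ptr_to_box(a)); // return ownership so both nodes are freed
    drop(tok.ptr_to_box(b));
    (before, after)
}
```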


